add network security perimeter to some resources

mrWinston · mrWinston · commit 977f65e3172e · 2025-09-22T15:46:48.000+02:00
diff --git a/go.mod b/go.mod
@@ -15,6 +15,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.5.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.3.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v7 v7.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v1.4.0
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0
diff --git a/go.sum b/go.sum
@@ -32,6 +32,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.3.0 h1:L7G3d
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.3.0/go.mod h1:Ms6gYEy0+A2knfKrwdatsggTXYA2+ICKug8w7STorFw=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0 h1:HYGD75g0bQ3VO/Omedm54v4LrD3B1cGImuRF3AJ5wLo=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0/go.mod h1:ulHyBFJOI0ONiRL4vcJTmS7rx18jQQlEPmAgo80cRdM=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v7 v7.0.0 h1:qZQVUcgr3ZUsyt8lf4FS+Wjj1NxyPaMY7Nj/3UiFgO4=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v7 v7.0.0/go.mod h1:vbbC5kaJ8H3mz4GIXafT5thlUo2qzW46Zzl1dKKpZVk=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1 h1:/Zt+cDPnpC3OVDm/JKLOs7M2DKmLRIIp3XIx9pHHiig=
diff --git a/pkg/deploy/assets/gateway-production-predeploy.json b/pkg/deploy/assets/gateway-production-predeploy.json
@@ -115,6 +115,39 @@
                 "enableSoftDelete": true
             },
             "apiVersion": "2019-09-01"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "location": "[resourceGroup().location]",
+            "name": "gateway-nsp",
+            "properties": {},
+            "type": "Microsoft.Network/networkSecurityPerimeters"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters', 'gateway-nsp')]"
+            ],
+            "name": "gateway-nsp/default",
+            "type": "Microsoft.Network/networkSecurityPerimeters/profiles"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'gateway-nsp', 'default')]",
+                "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-gwy'))]"
+            ],
+            "name": "gateway-nsp/gateway-keyvault",
+            "properties": {
+                "accessMode": "Learning",
+                "privateLinkResource": {
+                    "id": "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-gwy'))]"
+                },
+                "profile": {
+                    "id": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'gateway-nsp', 'default')]"
+                }
+            },
+            "type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations"
         }
     ]
 }
diff --git a/pkg/deploy/assets/rp-development-predeploy.json b/pkg/deploy/assets/rp-development-predeploy.json
@@ -322,6 +322,75 @@
                     ]
                 }
             }
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "location": "[resourceGroup().location]",
+            "name": "aro-keyvaults-nsp",
+            "properties": {},
+            "type": "Microsoft.Network/networkSecurityPerimeters"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters', 'aro-keyvaults-nsp')]"
+            ],
+            "name": "aro-keyvaults-nsp/default",
+            "type": "Microsoft.Network/networkSecurityPerimeters/profiles"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]",
+                "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-cls'))]"
+            ],
+            "name": "aro-keyvaults-nsp/nsp-cls",
+            "properties": {
+                "accessMode": "Learning",
+                "privateLinkResource": {
+                    "id": "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-cls'))]"
+                },
+                "profile": {
+                    "id": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]"
+                }
+            },
+            "type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]",
+                "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-por'))]"
+            ],
+            "name": "aro-keyvaults-nsp/nsp-por",
+            "properties": {
+                "accessMode": "Learning",
+                "privateLinkResource": {
+                    "id": "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-por'))]"
+                },
+                "profile": {
+                    "id": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]"
+                }
+            },
+            "type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]",
+                "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-svc'))]"
+            ],
+            "name": "aro-keyvaults-nsp/nsp-svc",
+            "properties": {
+                "accessMode": "Learning",
+                "privateLinkResource": {
+                    "id": "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-svc'))]"
+                },
+                "profile": {
+                    "id": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]"
+                }
+            },
+            "type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations"
         }
     ]
 }
diff --git a/pkg/deploy/assets/rp-development.json b/pkg/deploy/assets/rp-development.json
@@ -117,6 +117,39 @@
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
             ]
         },
+        {
+            "apiVersion": "2024-07-01",
+            "location": "[resourceGroup().location]",
+            "name": "cosmos-nsp",
+            "properties": {},
+            "type": "Microsoft.Network/networkSecurityPerimeters"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters', 'cosmos-nsp')]"
+            ],
+            "name": "cosmos-nsp/default",
+            "type": "Microsoft.Network/networkSecurityPerimeters/profiles"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'cosmos-nsp', 'default')]",
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
+            ],
+            "name": "cosmos-nsp/cosmos-nsp-association",
+            "properties": {
+                "accessMode": "Learning",
+                "privateLinkResource": {
+                    "id": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
+                },
+                "profile": {
+                    "id": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'cosmos-nsp', 'default')]"
+                }
+            },
+            "type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations"
+        },
         {
             "name": "[guid(resourceGroup().id, parameters('rpServicePrincipalId'), 'RP / Reader')]",
             "type": "Microsoft.Authorization/roleAssignments",
diff --git a/pkg/deploy/assets/rp-production-predeploy.json b/pkg/deploy/assets/rp-production-predeploy.json
@@ -319,6 +319,75 @@
                 }
             }
         },
+        {
+            "apiVersion": "2024-07-01",
+            "location": "[resourceGroup().location]",
+            "name": "aro-keyvaults-nsp",
+            "properties": {},
+            "type": "Microsoft.Network/networkSecurityPerimeters"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters', 'aro-keyvaults-nsp')]"
+            ],
+            "name": "aro-keyvaults-nsp/default",
+            "type": "Microsoft.Network/networkSecurityPerimeters/profiles"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]",
+                "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-cls'))]"
+            ],
+            "name": "aro-keyvaults-nsp/nsp-cls",
+            "properties": {
+                "accessMode": "Learning",
+                "privateLinkResource": {
+                    "id": "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-cls'))]"
+                },
+                "profile": {
+                    "id": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]"
+                }
+            },
+            "type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]",
+                "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-por'))]"
+            ],
+            "name": "aro-keyvaults-nsp/nsp-por",
+            "properties": {
+                "accessMode": "Learning",
+                "privateLinkResource": {
+                    "id": "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-por'))]"
+                },
+                "profile": {
+                    "id": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]"
+                }
+            },
+            "type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]",
+                "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-svc'))]"
+            ],
+            "name": "aro-keyvaults-nsp/nsp-svc",
+            "properties": {
+                "accessMode": "Learning",
+                "privateLinkResource": {
+                    "id": "[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '-svc'))]"
+                },
+                "profile": {
+                    "id": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'aro-keyvaults-nsp', 'default')]"
+                }
+            },
+            "type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations"
+        },
         {
             "properties": {
                 "protocol": "Tcp",
diff --git a/pkg/deploy/assets/rp-production.json b/pkg/deploy/assets/rp-production.json
@@ -1178,6 +1178,39 @@
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
             ]
         },
+        {
+            "apiVersion": "2024-07-01",
+            "location": "[resourceGroup().location]",
+            "name": "cosmos-nsp",
+            "properties": {},
+            "type": "Microsoft.Network/networkSecurityPerimeters"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters', 'cosmos-nsp')]"
+            ],
+            "name": "cosmos-nsp/default",
+            "type": "Microsoft.Network/networkSecurityPerimeters/profiles"
+        },
+        {
+            "apiVersion": "2024-07-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'cosmos-nsp', 'default')]",
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
+            ],
+            "name": "cosmos-nsp/cosmos-nsp-association",
+            "properties": {
+                "accessMode": "Learning",
+                "privateLinkResource": {
+                    "id": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
+                },
+                "profile": {
+                    "id": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', 'cosmos-nsp', 'default')]"
+                }
+            },
+            "type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations"
+        },
         {
             "name": "[guid(resourceGroup().id, parameters('rpServicePrincipalId'), 'RP / Reader')]",
             "type": "Microsoft.Authorization/roleAssignments",
diff --git a/pkg/deploy/generator/resources.go b/pkg/deploy/generator/resources.go
@@ -6,6 +6,7 @@ package generator
 import (
 	"fmt"
 
+	sdknetwork "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v7"
 	mgmtdns "github.com/Azure/azure-sdk-for-go/services/dns/mgmt/2018-05-01/dns"
 	mgmtkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
@@ -44,6 +45,56 @@ func (g *generator) dnsZone(name string) *arm.Resource {
 	}
 }
 
+func (g *generator) networkSecurityPerimeter(name string) *arm.Resource {
+
+	return &arm.Resource{
+		Resource: &sdknetwork.SecurityPerimeter{
+			Location:   pointerutils.ToPtr("[resourceGroup().location]"),
+			Properties: &sdknetwork.SecurityPerimeterProperties{},
+			Name:       &name,
+			Type:       pointerutils.ToPtr("Microsoft.Network/networkSecurityPerimeters"),
+		},
+		APIVersion: azureclient.APIVersion("Microsoft.Network/networkSecurityPerimeters"),
+	}
+}
+
+// networkSecurityPerimeterProfile creates a new nsp profile with the hardcoded name `default`.
+func (g *generator) networkSecurityPerimeterProfile(nspName string) *arm.Resource {
+	return &arm.Resource{
+		Resource: &sdknetwork.NspProfile{
+			Name: pointerutils.ToPtr(fmt.Sprintf("%s/default", nspName)),
+			Type: pointerutils.ToPtr("Microsoft.Network/networkSecurityPerimeters/profiles"),
+		},
+		APIVersion: azureclient.APIVersion("Microsoft.Network/networkSecurityPerimeters/profiles"),
+		DependsOn: []string{
+			fmt.Sprintf("[resourceId('Microsoft.Network/networkSecurityPerimeters', '%s')]", nspName),
+		},
+	}
+}
+
+func (g *generator) networkSecurityPerimeterAssociation(nspName string, associationName string, targetResourceId string) *arm.Resource {
+	return &arm.Resource{
+		Resource: &sdknetwork.NspAssociation{
+			Properties: &sdknetwork.NspAssociationProperties{
+				AccessMode: pointerutils.ToPtr(sdknetwork.AssociationAccessModeLearning),
+				PrivateLinkResource: &sdknetwork.SubResource{
+					ID: &targetResourceId,
+				},
+				Profile: &sdknetwork.SubResource{
+					ID: pointerutils.ToPtr(fmt.Sprintf("[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', '%s', 'default')]", nspName)),
+				},
+			},
+			Name: pointerutils.ToPtr(fmt.Sprintf("%s/%s", nspName, associationName)),
+			Type: pointerutils.ToPtr("Microsoft.Network/networkSecurityPerimeters/resourceAssociations"),
+		},
+		APIVersion: azureclient.APIVersion("Microsoft.Network/networkSecurityPerimeters/resourceAssociations"),
+		DependsOn: []string{
+			fmt.Sprintf("[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', '%s', 'default')]", nspName),
+			targetResourceId,
+		},
+	}
+}
+
 func (g *generator) securityGroup(name string, securityRules *[]mgmtnetwork.SecurityRule, condition interface{}) *arm.Resource {
 	return &arm.Resource{
 		Resource: &mgmtnetwork.SecurityGroup{
diff --git a/pkg/deploy/generator/resources_gateway.go b/pkg/deploy/generator/resources_gateway.go
@@ -32,6 +32,23 @@ func (g *generator) gatewayManagedIdentity() *arm.Resource {
 	}
 }
 
+func (g *generator) gatewayKeyvaultPerimeterAssociation() *arm.Resource {
+	gwKvResId := fmt.Sprintf(
+		"[resourceId('Microsoft.KeyVault/vaults', concat(parameters('keyvaultPrefix'), '%s'))]",
+		env.GatewayKeyvaultSuffix,
+	)
+
+	return g.networkSecurityPerimeterAssociation("gateway-nsp", "gateway-keyvault", gwKvResId)
+}
+
+func (g *generator) gatewayNetworkSecurityPerimeterProfile() *arm.Resource {
+	return g.networkSecurityPerimeterProfile("gateway-nsp")
+}
+
+func (g *generator) gatewayNetworkSecurityPerimeter() *arm.Resource {
+	return g.networkSecurityPerimeter("gateway-nsp")
+}
+
 func (g *generator) gatewaySecurityGroup() *arm.Resource {
 	return g.securityGroup("gateway-nsg", nil, g.conditionStanza("deployNSGs"))
 }
diff --git a/pkg/deploy/generator/resources_rp.go b/pkg/deploy/generator/resources_rp.go
diff --git a/pkg/deploy/generator/templates_gateway.go b/pkg/deploy/generator/templates_gateway.go
diff --git a/pkg/deploy/generator/templates_rp.go b/pkg/deploy/generator/templates_rp.go
diff --git a/pkg/util/azureclient/apiversions.go b/pkg/util/azureclient/apiversions.go
